Port Bonding

When monitoring network traffic with a passive or active LAN tap rather than an “aggregator” or “mirror port”, the ‘incoming’ and ‘outgoing’ channels need to be bonded together so that IDS systems such as Bro can process them as a single network flow. This setup uses a technique called bonding: two physical interfaces are joined into one logical interface that a sensor (Snort, for example) can listen on. These instructions assume you are using Linux, and more specifically a Debian-based distribution such as Ubuntu.

Network Interfaces

A network monitor machine has a minimum of two network interfaces, which are bonded into a single logical interface in software. Often a third NIC is present on the monitor machine and can be used for remote access (the management port). Normally, we use an integrated NIC port as the management port and a 3rd-party dual-port NIC for the monitoring ports. The monitoring ports are connected to the LAN tap, and the packet flow is rejoined internally via software-based port bonding.

Determine Assigned Network Interfaces to Physical Ports

First, you need to figure out which interface corresponds to the physical NIC ports.

    ifconfig -a

You should see that the two interfaces on the dual NIC share similar MAC addresses.

For an additional way to make the determination, install bmon and view live network data flow.

    sudo apt-get install bmon
    bmon

You should see data flowing to the one connected to the Internet (the management port) and NOT the tap interfaces (monitoring ports).

Note which interfaces should be assigned to the management and monitoring ports. For example: em0 for management, and p1p1 and p1p2 for monitoring.
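The MAC-address comparison described above can be scripted. The following is an added example, not part of the original instructions: it groups interfaces whose MAC addresses share their first five octets, which is a heuristic for spotting the ports of one multi-port NIC. The function names and the sample MAC addresses are constructed for illustration; the interface names are the ones used in the text.

```shell
#!/bin/sh
# Added example: find interfaces that likely belong to the same multi-port NIC
# by grouping MAC addresses that share their first five octets (a heuristic).

# list_macs: print "iface mac" for each non-loopback interface on this host.
list_macs() {
    for dev in /sys/class/net/*; do
        name=${dev##*/}
        if [ "$name" != "lo" ] && [ -r "$dev/address" ]; then
            printf '%s %s\n' "$name" "$(cat "$dev/address")"
        fi
    done
}

# pair_ports: read "iface mac" lines on stdin; for every MAC prefix seen on
# more than one interface, print "<prefix> <iface> <iface> ...".
pair_ports() {
    awk '
        # Accept only well-formed 6-octet MACs; skip anything else.
        NF == 2 && length($2) == 17 &&
        tolower($2) ~ /^([0-9a-f][0-9a-f]:)+[0-9a-f][0-9a-f]$/ {
            prefix = substr(tolower($2), 1, 14)   # first five octets
            if (!(prefix in count)) order[++n] = prefix
            members[prefix] = members[prefix] " " $1
            count[prefix]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    print order[i] members[order[i]]
        }'
}

# Constructed sample (not real hardware), using the interface names from the
# text: one onboard management port and one dual-port NIC.
sample_macs() {
    cat <<'EOF'
em0 00:25:90:aa:10:7c
p1p1 A0:36:9F:1B:22:40
p1p2 a0:36:9f:1b:22:41
EOF
}

sample_macs | pair_ports    # on a real host: list_macs | pair_ports
```

Virtual interfaces and NICs from the same production batch can also share a prefix, so confirm the result against live traffic with bmon before assigning ports.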

Create Bonded Interface

Now we manually set up the bonded interface, created here as a Linux bridge named br0.

    sudo apt-get install bridge-utils
    sudo brctl addbr br0
    sudo brctl addif br0 p1p1 p1p2

Troubleshooting Bridge

    sudo brctl delbr br0
    brctl show

We now have our bond, but it’s not persistent yet. For that we need to manually update ‘/etc/network/interfaces’: